Cyber security tools tend to pile up. Here’s how to rationalize them

Andrew Gilman, Chief Operating Officer, Cybric | March 1, 2016

It’s a cliché, but “change is the only constant.” Every company periodically reviews and makes changes to the applications, processes and solutions it uses to conduct business. And nowhere is this rationalization more important than in the ever-shifting and increasingly perilous arena of cyber security.

Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Executive Networks Media editors.

Companies often begin the security rationalization process after accumulating a portfolio of tools over the years (e.g. penetration-testing tools, web-application scanners and code scanners), after mergers and acquisitions, or when business strategy shifts.

If your organization has typically purchased every tool, the practice is a great way to spot redundancies. For those who have postponed major purchases, the rationalization process will highlight gaps, areas that have received too little attention and places where vulnerabilities may exist. Put simply, the best rationalization projects enable new and more customer-centric ways of delivering services by seamlessly integrating IT into business processes - even as demand grows exponentially.

Here are the key steps to security rationalization:

* Define your goal and work backwards. The first step in security rationalization is to define your goal: the desired end state of your overall cybersecurity posture. The same goal-defining concept should be applied to an overall resiliency plan in order to shore up the business. While this goal may vary slightly from company to company, a solid security rationalization exercise should enable you to answer the question: How secure are we?

It may make sense to gain buy-in across departments by drafting a charter with a mandate driving the project. The project should be scoped, allocated resources and a budget, and governance systems should be put in place to maintain control. It’s equally important to understand how secure the entire enterprise is, as well as how secure individual systems are – all the way down to the source-code level (e.g. GitHub repositories), if you have in-house development.

* Admit your shortcomings. Companies undertaking security rationalization typically fall into four buckets: those that have overinvested, those that have underinvested, those that don’t know the extent of their security capabilities, and those faced with new regulations that require them to demonstrate competency.

Once you have sign-off on your assignment, take inventory of your existing portfolio. This should involve more than simply looking at toolsets. It should take into account people and their skills, processes and systems. You’ll be able to determine, for example, whether your company has vulnerability scanners and firewalls, which applications are protected, and which systems of apps aren’t.

Next, codify everything into multiple tiers based on need. Your Tier 1 may require a set of tools that Tier 2 does not. There may be an additional tier that doesn’t fall into any category and requires its own subset of tools or protection.
